[BreachExchange] Nova Scotia re-launches FOIPOP website after 152 days of being offline

[Destry Winant]

https://globalnews.ca/news/4428220/nova-scotia-foipop-website-reloaded/

A 152-day saga came to an end on Wednesday as the Nova Scotia
government brought its Freedom of Information and Protection of
Privacy (FOIPOP) website back online after it was revealed in April
that a data breach had exposed social insurance numbers, birth dates
and personal addresses to the general public.

The new website, developed by Red Sky IT Solutions Ltd., launched on Wednesday.

The new website does not currently have the same features its predecessor did.

FOIPOP requests, which are used by journalists, academics, businesses
and activists to obtain government information that is normally
withheld from the public, will still need be filed the old-fashioned
way by pen, paper and snail mail.

Individuals will once again be able to download previously completed
FOI requests, although features such as a payment system, are still
being developed separately. Nova Scotia’s Department of Internal
Services says those services will be rolled out at a later date.

“Only publicly released access to information requests are available
on the site. The site does not host any personal information and is
not connected to the case management system,” said a press release
announcing the launch.

Any releases made since April 1 will soon be available on the site.

“Work is continuing to eventually restore the ability to file [FOIPOP
requests] online. That is separate from the work on the disclosure
site,” said Brian Taylor, a spokesperson for the Department of
Internal Services.

With the service at least partially restored, here’s everything we
know about the breach, the website and what has happened behind the
scenes, detailed through internal emails, briefing documents and
reports obtained through FOIPOP requests.

A worker at the Nova Scotia archives was the first to detect the
breach at the previous FOIPOP website.

In an email sent on the evening of April 4, the employee attempted to
re-enter a URL that linked to a released and redacted document he had
previously accessed through the FOIPOP portal but mistyped the
address.

“Rather than going to another redacted, released document, I ended up
seeing an incoming FOIPOP request … It seems that rather than being
inside the government system, which in itself is a bit of a shaky
practice, the materials are out there, seemingly unprotected, on the
web,” the employee said.

“This isn’t what should be happening. I think you need to do something
about this.”

Provincial officials quickly jumped into action, scrambling through
April 5 to find a solution.

One official wrote that the government should shut down the website
“until we get a grip on things.”

Meddy Stanton, manager of the government’s information access program,
quickly dispatched an email to Unisys, the company employed by the
province, to maintain the FOIPOP portal, which operates using a system
known as AMANDA.

“This is a very serious and unexpected situation,” Stanton wrote in her email.

“There are serious breach and communications implications that must be
managed by us and on a tight timeline.”

With no immediate solution available, the government yanked down the
website at 8:15 a.m. It’s remained that way ever since.

Though there have been promises to find a short-term solution to the
problem, emails indicate that a larger issue was at play in the data
breach.

“This will be a short-term solution that limits functionality, as CSDC
(the vendor which provided AMANDA to the province) will have to modify
their core AMANDA code to permanently fix this security issue,” one
employee writes in an email detailing the solution Unisys provided to
the province.

At the time, the province said more than 7,000 documents were
inappropriately downloaded as a result of the breach, while 369 of the
documents contained “highly sensitive” personal information such as
social insurance numbers, birth dates and personal addresses.

Of the 369 documents containing highly sensitive personal information,
273 (74 per cent) came from the Department of Community Services,
which deals with income assistance, employment support and child and
youth services.

Arrest of Halifax teenager

Halifax Regional Police arrested a 19-year-old on April 11 after
searching his home, but three weeks later issued a news release saying
they would not charge the teen, as “the 19-year-old who was arrested …
did not have intent to commit a criminal offence.”

Halifax police said the young man was arrested under a rarely used
section of the Criminal Code that prohibits the unauthorized use of a
computer with fraudulent intent.

The teen later told CBC that his arrest had been carried out by
approximately 15 officers.

The police’s initial decision to charge the 19-year-old drew heavy
criticism from the tech community in Canada. Critics say police
“overreached” for something that is a common action in the technology
field.

Search warrants indicate that a Nova Scotia civil servant told police
somebody “hacked” into the province’s freedom of information website,
however internal government documents indicate that the province
understood the problem to be an issue regarding vulnerability in the
AMANDA program and not an attack with malicious intent.

Two separate investigations into the government’s handling of its
citizens’ privacy are still ongoing.

Catherine Tully, the province’s privacy and information commissioner,
has also been informed of the breach and is now launching her own
investigation into whether the Department of Internal Services was in
compliance with the province’s Freedom of Information and Protection
of Privacy Act.

“The investigation will focus in particular on the adequacy of the
security of the system,” wrote Tully in a press release.

An investigation by Nova Scotia auditor general Michael Pickup is also
underway. He’s set to perform an audit of the province’s privacy
services.